CRISC Certified in Risk and Information Systems Control – Question534

What is the BEST information to present to business control owners when justifying costs related to controls?

A. Return on IT security-related investments
B. The previous year’s budget and actuals
C. Industry benchmarks and standards
D. Loss event frequency and magnitude

Correct Answer: D

CRISC Certified in Risk and Information Systems Control – Question533

A risk assessment has identified that an organization may not be in compliance with industry regulations. The BEST course of action would be to:

A. collaborate with management to meet compliance requirements
B. conduct a gap analysis against compliance criteria
C. identify necessary controls to ensure compliance
D. modify internal assurance activities to include control validation

Correct Answer: A

CRISC Certified in Risk and Information Systems Control – Question531

An organization operates in a jurisdiction where heavy fines are imposed for leakage of customer data. Which of the following provides the BEST input to assess the inherent risk impact?

A. Number of customer records held
B. Number of databases that host customer data
C. Number of encrypted customer databases
D. Number of staff members having access to customer data

Correct Answer: D

CRISC Certified in Risk and Information Systems Control – Question530

Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a vulnerability management process?

A. Percentage of vulnerabilities remediated within the agreed service level
B. Number of vulnerabilities identified during the period
C. Number of vulnerabilities re-opened during the period
D. Percentage of vulnerabilities escalated to senior management

Correct Answer: A

CRISC Certified in Risk and Information Systems Control – Question529

Which of the following should be an element of the risk appetite of an organization?

A. The enterprise’s capacity to absorb loss
B. The effectiveness of compensating controls
C. The amount of inherent risk considered appropriate
D. The residual risk affected by preventive controls

Correct Answer: A

CRISC Certified in Risk and Information Systems Control – Question527

An organization is implementing encryption for data at rest to reduce the risk associated with unauthorized access. Which of the following MUST be considered to assess the residual risk?

A. Data destruction requirements
B. Cloud storage architecture
C. Data retention requirements
D. Key management

Correct Answer: D

CRISC Certified in Risk and Information Systems Control – Question525

Which of the following is the BEST way to mitigate the risk associated with fraudulent use of an enterprise’s brand on Internet sites?

A. Utilizing data loss prevention technology
B. Scanning the Internet to search for unauthorized usage
C. Monitoring the enterprise’s use of the Internet
D. Developing training and awareness campaigns

Correct Answer: B